Efficient botnet herding within the Tor network

Original Paper


During 2013 the Tor network had a massive spike in new users as a botnet started using Tor hidden services to hide its C&C (Command and Control) servers. This resulted in network congestion and reduced performance for all users. Tor hidden services are attractive to botnet herders because they provide anonymity for both the C&C servers and the bots. The aim of this paper is to present a superior way that Tor hidden services can be used for botnet C&C which minimises harm to the Tor network while retaining all security benefits.


  1. 1.
    arma: [Tor Blog] How to Handle Millions of New Tor Clients. https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients (2013). Accessed 05 Sept 2013
  2. 2.
    Daswani, N., Stoppelman, M.: The anatomy of Clickbot.A. In: Proceedings of the First Conf. on First Workshop on Hot Top. in Underst. Botnets, HotBots’07, pp. 11–11. USENIX Association, Berkeley (2007). http://dl.acm.org/citation.cfm?id=1323128.1323139
  3. 3.
    Hopper, N.: Protecting Tor from botnet abuse in the long term. Tech. Rep. 2013–11-001, The Tor Project (2013). https://research.torproject.org/techreports/botnet-tr-2013-11-20
  4. 4.
    Mathewson, N.: Next-Generation Hidden Services in Tor [Draft]. https://gitweb.torproject.org/torspec.git/blob_plain/398c01be40f957c07d23b4ef6192214aee505703:/proposals/224-rend-spec-ng.txt (2013). Accessed 23 June 2014
  5. 5.
    msft-mmpc: Mevade and Sefnit: Stealthy Click Fraud. http://blogs.technet.com/b/mmpc/archive/2013/09/25/mevade-and-sefnit-stealthy-click-fraud.aspx (2013). Accessed 03 Aug 2014
  6. 6.
    msft-mmpc: Tackling the Sefnit Botnet Tor Hazard. http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx (2014). Accessed 03 Aug 2014
  7. 7.
    Nazario, J.: BlackEnergy DDoS Bot Analysis. Arbor Networks, Burlington (2007). http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf
  8. 8.
    Protect the Graph: Sefnit is Back. https://www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103 (2014). Accessed 03 Aug 2014
  9. 9.
    Stock, B., Gobel, J., Engelberth, M., Freiling, F.C., Holz, T.: Walowdac-analysis of a peer-to-peer botnet. In: Comput. Netw. Def. (EC2ND), 2009 Eur. Conf. on, pp. 13–20. IEEE (2009).Google Scholar
  10. 10.
    The Tor Project: Tor Metrics. https://metrics.torproject.org/ (2014). Accessed 08 July 2014
  11. 11.
    The Tor Project: Tor Project: Anonymity Online. https://www.torproject.org/ (2014). Accessed 09 July 2014
  12. 12.
    The Tor Project: Tor Rendezvous Specification. https://gitweb.torproject.org/torspec.git/blob_plain/7901fc11a9ecc6e857bf860fecb5ed25bd073378:/rend-spec.txt (2014). Accessed 23 June 2014

Copyright information

© Springer-Verlag France 2014

Authors and Affiliations

  1. 1.The University of AdelaideAdelaideAustralia

Personalised recommendations